PGP and DMCA Notices

One of the thornier requirements of sending a DMCA notice is that the notice must include “A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.”

The ESIGN act of 2000, theoretically, helped to clarify what qualifies as an “electronic signature” by defining it as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

Theoretically, just about anything could qualify as an electronic signature so long as it showed an intent to sign the document and would be “logically associated with a contract.”

While this seems to open the door to a wide variety of simple signature techniques, /s/ being one of the most popular, it hasn’t prevented confusion. For example, until very recently, would not accept DMCA notices that did not include a physical, handwritten signature. This meant would-be filers had to either fax or mail in their notices, creating additional delays and hassles.

However, at least some of the largest DMCA filers have taken to using Pretty Good Privacy, PGP, as a way to ensure that their documents are signed, verifiable and that their emailed DMCA notices are valid.

Is it something you should consider? It depends on what kind of filing you are doing.

The Basics of PGP and PGP Signatures

PGP is best known as an encryption tool, both as a way to encrypt documents locally on a computer and as a way to ensure secure transmission of them via the Web.

The idea is fairly simple. As a PGP user, you have both a public key and a private key. You pass out your public key for everyone to use, including posting it on dedicated repositories, and keep your private one to yourself.

If you wanted to send someone an encrypted email or file, you would download their public key and use it to encrypt the file. You then send the encrypted content and only the other person, with their private key, can decrypt it.

The process also works to create electronic signatures. If you wanted to sign an email, you would use your private key to sign a hash of the email, which the person on the other side could then verify using your public key. Any alteration of the email would change the hash and cause the signature to be invalid.
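The sign-then-verify cycle described above, as an added example using GnuPG that is not part of the original article: it creates a throwaway key in a temporary keyring, clearsigns a constructed notice, and shows that an edited copy fails verification. The identity, notice text and function names are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: clearsign a notice with GnuPG, verify it, then show that an
# edited copy fails. Identity, notice text and function names are constructed.

# Throwaway keyring so the demo never touches your real keys.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
DEMO_UID="Example Rights Agent <agent@example.com>"   # constructed identity

make_demo_key() {
    # Signing-only key with no passphrase; acceptable only in this demo keyring.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" ed25519 sign never
}

sign_notice() {    # $1 = plain-text notice; writes clearsigned copy to $1.asc
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$DEMO_UID" --output "$1.asc" --clearsign "$1"
}

verify_notice() {  # $1 = clearsigned file; returns 0 only for a good signature
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 0; }
    local dir notice
    dir="$(mktemp -d)"; notice="$dir/notice.txt"
    printf '%s\n' \
        'The material at the URL below is used without authorization.' \
        'Infringing URL: https://example.com/copied-post' \
        '/s/ Example Rights Agent' > "$notice"
    make_demo_key && sign_notice "$notice" \
        || { echo "key generation or signing failed" >&2; return 0; }

    verify_notice "$notice.asc" && echo "original: signature valid"

    # Simulate an edit made after signing, whether by an impostor or by a
    # mail client that rewrites the text in transit.
    sed 's#copied-post#some-other-page#' "$notice.asc" > "$dir/tampered.asc"
    verify_notice "$dir/tampered.asc" || echo "tampered: signature INVALID"
}

run_demo
```

A zero exit status from `gpg --verify` only means the signature was made by some key in the keyring; a recipient validating real notices should also compare the signing key's fingerprint against the one the sender published.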

While the idea behind PGP was to create a secure email system, as opposed to the open system we have now where all messages are “in the clear” and easily readable along their routes, PGP never caught on in a big way and has limited use.

However, at least some of the largest DMCA filers have been using PGP signatures with their DMCA notices, putting them in the extreme minority that use PGP regularly.

But why would they do that and, more importantly, is it something other filers should be looking at doing?

Why Use PGP Signatures on DMCA Notices?

There are two clear reasons to use PGP signatures with DMCA notices:

  1. Fulfill the Electronic Signature Requirement: Though excessive, I can’t imagine an argument where signing a document via PGP wouldn’t meet the electronic signature requirement of the law.
  2. Prevent Impostors: The use of a PGP key would prevent others from spoofing their activity and using their name to file false takedown notices, at least as long as the signature is validated.

Considering that PGP is free to implement and can be automated as part of the DMCA (or any email) process, larger companies have little reason NOT to use PGP signatures. Even if the benefit is small, if you’re sending out thousands of notices per day it makes sense to go ahead with it.

But what if you’re only sending one or two a week? Does it still make sense?

The answer is probably not. The reason is that the time, energy and effort required to set up PGP and to sign outgoing documents is probably better spent elsewhere.

The reason is that, even for those filing thousands of DMCA notices a day, most of the signatures were overkill, meaning a simple text signature would have sufficed, and very few of the signatures are likely validated, save possibly by an automated system with their largest partners.

However, they are concerned about the one time someone does try to impersonate them or the one company that won’t accept a text-only signature. It’s an easy way to ensure that ALL bases are covered, because with so many notices even a .1% problem rate can mean dozens of returned DMCA notices every month.

That can be a lot of headaches for a company trying to automate all of its activities.

Bottom Line

In the end, unless you’re an extreme case where PGP makes sense, it’s probably best to skip on it for sending your notices, especially if you aren’t technically inclined as you could do more harm than good (it can be easy to corrupt your own signatures, making them seem invalid).

Instead, it’s better to move on as is and deal with the rare outliers as they come.

Though it would be nice to live in a world where PGP was common, we’re simply not there and that makes any effort dedicated to PGP, most likely, a waste.

Still, it is fun to play around with and learn how to use. So, if you want to see what PGP is about, download GnuPG and give it a try.

Even if you can’t use it much, it’s nice to imagine what email could be like if it had caught on.
